BreachExchange mailing list archives

Security lapse makes GPAs visible


From: security curmudgeon <jericho () attrition org>
Date: Tue, 4 Aug 2009 06:19:15 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.dailyemerald.com/news/security-lapse-makes-gpas-visible-1.236115

By Alex Tomchak Scott
News Editor
Oregon Daily Emerald
August 3, 2009

The University has fixed a security breach in its DuckWeb system after a
student used it to look at three other students' degree audits.

The hole in DuckWeb's security allowed Web users to view certain other
students' degree audits by changing digits in the URL for a
printer-friendly version of their own audits, which contain information
about a student's grades and his or her progress toward a degree.

The student who discovered the breach was Daniel Bachhuber, a former
Emerald employee, who then called the University to alert officials of
the glitch July 22.

University registrar Sue Eveland estimated that the breach, which has
since been repaired, would have made at most 20 different students'
degree audits visible to those who manipulated the URL.

The glitch originated in the system the University uses to upload degree
audits. All degree audits for which information has changed on a given
day are uploaded simultaneously that night and assigned what Eveland
said is a randomly-generated nine-digit number called a batch number.
That number is at the end of the URL for the printer-friendly version of
the audit and it is the one Bachhuber used to access the degree audits.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
